Configure proxy for hybrid nodes
If you are using a proxy server in your on-premises environment for traffic leaving your data center or edge environment, you need to configure your operating system, containerd, kubelet, and kube-proxy to use your proxy server. You must configure kube-proxy after creating your Amazon EKS cluster. You can make the changes for your operating system, containerd, and the kubelet during the build process for your operating system images or before you run nodeadm init on each hybrid node.
Node-level configuration
The configurations in this section must be applied in your operating system images or before running nodeadm init on each hybrid node.
containerd proxy configuration
containerd is the default container management runtime for Kubernetes. If you are using a proxy for internet access, you must configure containerd so it can pull the container images required by Kubernetes and Amazon EKS.
Create a file on each hybrid node called http-proxy.conf in the /etc/systemd/system/containerd.service directory with the following contents. Replace proxy-domain and port with the values for your environment.
[Service] Environment="HTTP_PROXY=http://proxy-domain:port“ Environment="HTTPS_PROXY=http://proxy-domain:port“ Environment="NO_PROXY=localhost"
Kubelet proxy configuration
kubelet is the Kubernetes node agent that runs on each Kubernetes node and is responsible for managing the node and pods running on it. If you are using a proxy in your on-premises environment, you must configure the kubelet so it can communicate with your Amazon EKS cluster’s public or private endpoints.
Create a file on each hybrid node called http-proxy.conf in the /etc/systemd/system/kubelet.service.d/ directory with the following content. Replace proxy-domain and port with the values for your environment.
[Service] Environment="HTTP_PROXY=http://proxy-domain:port“ Environment="HTTPS_PROXY=http://proxy-domain:port“ Environment="NO_PROXY=localhost"
Operating system proxy configuration
If you are using a proxy for internet access, you must configure your operating system to be able to pull the hybrid nodes dependencies from your operating systems' package manager.
Ubuntu
-
Configure
snapto use your proxy with the following commands:sudo snap set system proxy.https=http://proxy-domain:port sudo snap set system proxy.http=http://proxy-domain:port -
To enable proxy for
apt, create a file calledapt.confin the/etc/apt/directory. Replace proxy-domain and port with the values for your environment.Acquire::http::Proxy "http://proxy-domain:port"; Acquire::https::Proxy "http://proxy-domain:port";
Amazon Linux 2023 and Red Hat Enterprise Linux
-
Configure
yumto use your proxy. Create a file/etc/yum.confwith the proxy-domain and port values for your environment.proxy=http://proxy-domain:port
Cluster wide configuration
The configurations in this section must be applied after you create your Amazon EKS cluster and before running nodeadm init on each hybrid node.
kube-proxy proxy configuration
Amazon EKS automatically installs kube-proxy on each hybrid node as a DaemonSet when your hybrid nodes join the cluster. kube-proxy enables routing across services that are backed by pods on Amazon EKS clusters. To configure each host, kube-proxy requires DNS resolution for your Amazon EKS cluster endpoint.
-
Edit the
kube-proxyDaemonSet with the following commandkubectl -n kube-system edit ds kube-proxyThis will open the
kube-proxyDaemonSet definition on your configured editor. -
Add the environment variables for
HTTP_PROXYandHTTPS_PROXY. Note theNODE_NAMEenvironment variable should already exist in your configuration. Replaceproxy-domainandportwith values for your environment.containers: - command: - kube-proxy - --v=2 - --config=/var/lib/kube-proxy-config/config - --hostname-override=$(NODE_NAME) env: - name: HTTP_PROXY value: http://proxy-domain:port - name: HTTPS_PROXY value: http://proxy-domain:port - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName
